Back when I was still an admin and containers were not a thing yet, customers were offered an extra-hardened environment. There was also a guide for setting it up.

Basically everything was fine, except for the fact that the guide mounted all of /dev into the chroot.

Criticism was raised, but they preferred to ignore it and offer window dressing instead.
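Why a full /dev inside a chroot is window dressing: the jailed process gets the host's raw block devices (every disk, readable and writable with the right permissions) and the kernel-memory nodes. A hardened chroot needs only a handful of character devices. The following audit is an added example, not code from the post or from any product; the allowlist is this example's own choice, and the (major, minor) numbers are taken from the Linux `devices.txt` list.

```python
"""Added example: audit ROOT/dev for device nodes that have no business in a
chroot, and populate a minimal /dev.  Assumes Linux device numbering."""
import os
import stat

# Character devices a jail legitimately needs (Linux devices.txt numbers).
ALLOWED_CHAR = {
    (1, 3): "null",
    (1, 5): "zero",
    (1, 7): "full",
    (1, 8): "random",
    (1, 9): "urandom",
    (5, 0): "tty",
}
# Character devices that expose kernel memory / I/O ports: never in a jail.
KERNEL_MEMORY_CHAR = {(1, 1): "mem", (1, 2): "kmem", (1, 4): "port", (1, 11): "kmsg"}


def classify_node(mode, major, minor):
    """Return why a node is unwanted in a jail, or None if it is harmless.

    mode is st_mode, (major, minor) the device number of the node.  Anything
    that is not a device node (regular files, symlinks, sockets) is ignored.
    """
    if stat.S_ISBLK(mode):
        return "block device %d:%d (raw disk access)" % (major, minor)
    if stat.S_ISCHR(mode):
        if (major, minor) in KERNEL_MEMORY_CHAR:
            return "kernel memory node (/dev/%s)" % KERNEL_MEMORY_CHAR[(major, minor)]
        if (major, minor) not in ALLOWED_CHAR:
            return "character device %d:%d outside the allowlist" % (major, minor)
    return None


def audit_chroot_dev(root):
    """Walk ROOT/dev without following symlinks; return [(path, reason), ...].

    A bind mount of the host's /dev shows up here as dozens of findings; a
    minimal /dev returns an empty list.  A missing ROOT/dev also returns [].
    """
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "dev")):
        for name in files:  # os.walk lists device nodes among the files
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reason = classify_node(st.st_mode,
                                   os.major(st.st_rdev), os.minor(st.st_rdev))
            if reason:
                findings.append((path, reason))
    return findings


def create_minimal_dev(root):
    """Populate ROOT/dev with only the allowlisted nodes (needs CAP_MKNOD)."""
    devdir = os.path.join(root, "dev")
    os.makedirs(devdir, exist_ok=True)
    for (major, minor), name in ALLOWED_CHAR.items():
        os.mknod(os.path.join(devdir, name), 0o666 | stat.S_IFCHR,
                 os.makedev(major, minor))


if __name__ == "__main__":
    import sys
    jail = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, reason in audit_chroot_dev(jail):
        print("UNSAFE %s: %s" % (path, reason))
```

Run it against the jail root (`python3 audit_dev.py /srv/jail`, a hypothetical path); running it against `/` shows what a bind mount of the host's /dev would hand the jail.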

I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bug bounty.

I guess then there's really no reason not to tell you: they have a 384-bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384-bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384-bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:
-----BEGIN RSA PRIVATE KEY-----
MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK
j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP
LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa
9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09
AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj
7ez94w==
-----END RSA PRIVATE KEY-----
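The check a practitioner wants here is the modulus size of whatever sits in a domain's DKIM `p=` tag. The following is an added example, not the poster's code: it parses the PKCS#1 private key quoted above with a minimal DER reader, confirms it really is a 384-bit modulus, and then builds a synthetic DKIM TXT record from it (the `p=` tag carries the SubjectPublicKeyInfo form) so that the record-side check `dkim_rsa_bits()` can run offline. The verdict thresholds follow RFC 8301, which forbids verifiers from accepting RSA keys below 1024 bits and recommends 2048; everything else (function names, the constructed record) is this example's own.

```python
"""Added example: measure and grade the RSA key size in a DKIM record.
Runs offline on the key posted above; for a live domain you would feed
dkim_rsa_bits() the TXT record of <selector>._domainkey.<domain>."""
import base64
import re

# The private key quoted in the post above (PKCS#1 RSAPrivateKey, PEM).
POSTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK
j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP
LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa
9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09
AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj
7ez94w==
-----END RSA PRIVATE KEY-----"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split the body of a SEQUENCE into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def der_write(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der_write(0x02, b)


def pkcs1_private_key_params(pem):
    """Return (n, e) from a PKCS#1 RSAPrivateKey: SEQ{version, n, e, d, p, q, ...}."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, body, _ = der_read(der)
    assert tag == 0x30, "expected SEQUENCE"
    fields = der_children(body)
    return int.from_bytes(fields[1][1], "big"), int.from_bytes(fields[2][1], "big")


def spki_from_params(n, e):
    """SubjectPublicKeyInfo{AlgorithmIdentifier{rsaEncryption, NULL}, BIT STRING{RSAPublicKey{n, e}}}."""
    rsa_pub = der_write(0x30, der_int(n) + der_int(e))
    alg = der_write(0x30, der_write(0x06, RSA_OID) + der_write(0x05, b""))
    return der_write(0x30, alg + der_write(0x03, b"\x00" + rsa_pub))


def dkim_record_from_pem(pem):
    """Constructed DKIM TXT record carrying the public half of the posted key."""
    n, e = pkcs1_private_key_params(pem)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_params(n, e)).decode()


def dkim_rsa_bits(txt_record):
    """Modulus size in bits of the p= key in a DKIM TXT record (k=rsa, the default)."""
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM key: k=%s" % tags["k"])
    spki = base64.b64decode(re.sub(r"\s+", "", tags["p"]))  # DNS may split the tag
    _, spki_body, _ = der_read(spki)
    alg, bitstr = der_children(spki_body)
    assert der_children(alg[1])[0][1] == RSA_OID, "not rsaEncryption"
    _, rsa_pub_body, _ = der_read(bitstr[1][1:])  # skip the unused-bits octet
    return int.from_bytes(der_children(rsa_pub_body)[0][1], "big").bit_length()


def dkim_key_verdict(bits):
    """RFC 8301: under 1024 bits must be rejected by verifiers; 2048 is the recommendation."""
    if bits < 1024:
        return "reject"
    if bits < 2048:
        return "weak"
    return "ok"


if __name__ == "__main__":
    record = dkim_record_from_pem(POSTED_PEM)
    bits = dkim_rsa_bits(record)
    print("posted key: %d-bit RSA -> %s" % (bits, dkim_key_verdict(bits)))
```

For a live domain, replace the constructed record with the TXT value returned for `<selector>._domainkey.<domain>`; a key that `dkim_key_verdict()` grades `reject` does not authenticate anything, since an attacker who factors it can sign mail as the domain.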

#VeraCrypt's Microsoft account is being held hostage by Microsoft and, if this comment is legit, so is #WireGuard's.

Embrace, extend, extinguish.

https://news.ycombinator.com/item?id=47687884

This is the same problem I'm currently facing with WireGuard. No warning at all,... | Hacker News

https://bmi.usercontent.opencode.de/eudi-wallet/wallet-development-documentation-public/latest/architecture-concept/06-mobile-devices/02-mdvm/

So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function

Absolutely pathetic

Mobile Device Vulnerability Management Concept - German National EUDI Wallet: Architecture Documentation

Is there a way to open URLs from the CLI in profiles created with the new profile manager of #firefox?

-P uses the old profile manager

Another wild take: because someone uploads things to archive.org via a bot without asking, supposedly nothing can be done -.-

Cool, then I'll just pass myself off as a bot and nobody can touch me!

Not sure if the function calculated the right time 🤔

This is a crazy, developing story. And here you thought *your* organization's patch management routines were strict: From Christopher Kunz at Heise:

"A serious security vulnerability in the Windchill and FlexPLM products prompted a nationwide police response over the weekend. At the behest of the Federal Criminal Police Office (BKA), officers from across Germany were dispatched to alert affected companies – an unprecedented move. Administrators, whose weekends were disrupted, expressed their irritation – some of whom don't even use the compromised software."

"When the editorial team received a tip late Sunday morning about a critical security vulnerability in Windchill and FlexPLM, it sounded like a routine report: A deserialization vulnerability in specialized software, even with a CVSS score of 10, doesn't cause any alarm at heise security. The situation was apparently quite different at the Federal Criminal Police Office (BKA): By that time, they had already alerted the state criminal police offices (LKA) in various federal states, which dispatched police officers to affected companies during the night. As several readers reported to us in the forum, police officers were standing outside company and private premises in the dead of night."

https://www.heise.de/news/WTF-Polizei-rueckte-Samstagnacht-wegen-Zero-Day-aus-11221345.html

WTF: Polizei rückte Samstagnacht wegen Zero-Day aus

Because of the security vulnerability in Windchill and ZeroPLM, several state criminal police offices sent police officers to affected companies. The companies are irritated.

heise online

Tunables (The GNU C Library)

If you're using the official mongodb docker images, it could be that it is currently crashing non-stop.

At least that was my experience after starting to experiment with this (for me) new technology.
I'm getting exit code 139 by just running the official image without doing anything.

And then I found this discussion on GitHub:
https://github.com/docker-library/mongo/discussions/748

Mongod hard-crashes exactly every 30 seconds (SIGSEGV) · docker-library mongo · Discussion #748

Genuinely lost for debug steps and couldn't find another place to post. Been having connection issues with mongodb and it turned out to be because the whole damn thing is crashing horribly without ...

GitHub